2.11.4 See Also
Chapter 14 of Active Directory, Second Edition for upgrading to Windows Server 2003, and
Recipe 2.10 for running adprep
Recipe 2.12 Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003
2.12.1 Problem
You want to determine if a domain controller is ready to be upgraded to Windows Server 2003.
2.12.2 Solution
Insert a Windows Server 2003 CD into the Windows 2000 domain controller or map a drive to
the files contained on the CD. Run the following command from the \i386 directory:
> winnt32 /checkupgradeonly
2.12.3 Discussion
The /checkupgradeonly switch simulates the initial steps for upgrading a server to Windows
Server 2003. It verifies, among other things, that adprep has completed and that any installed
applications are compatible with the new operating system.
2.12.4 See Also
Recipe 2.11 for determining if adprep has completed and MS KB 331161 (List of Fixes to Use
on Windows 2000 Domain Controllers Before You Run the Adprep/Forestprep Command)
Recipe 2.13 Raising the Functional Level of a Windows Server 2003 Domain
2.13.1 Problem
You want to raise the functional level of a Windows Server 2003 domain. You should raise the
functional level of a domain as soon as possible after installing a new Windows Server 2003
domain or upgrading from Windows 2000 to take advantage of the new features and
enhancements.
2.13.2 Solution
2.13.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, browse to the domain you want to raise, right-click it, and select Raise
Domain Functional Level.
3. Select the new functional level and click OK.
After a few seconds you should see a message stating whether the operation was successful.
2.13.2.2 Using a command-line interface
To retrieve the current functional level, use the following command:
> dsquery * <DomainDN> -scope base -attr msDS-Behavior-Version
Or you can use the enumprop command found in the Windows 2000 Resource Kit.
> enumprop /ATTR:msDS-Behavior-Version "LDAP://<DomainDN>"
To change the functional level to Windows Server 2003, create an LDIF file called
raise_domain_func_level.ldf with the following contents:
dn: <DomainDN>
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2
-
Next, run the ldifde command to import the change.
> ldifde -i -f raise_domain_func_level.ldf
2.13.2.3 Using VBScript
' This code changes the functional level of the specified domain to
' the Windows Server 2003 domain functional level
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
' END CONFIGURATION
set objDomain = GetObject("LDAP://" & strDomain)
objDomain.GetInfo
' msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 Interim,
' 2 = Windows Server 2003 (see Table 2-4)
if objDomain.Get("msDS-Behavior-Version") <> 2 then
   Wscript.Echo "Changing domain to Windows Server 2003 functional level . . ."
   objDomain.Put "msDS-Behavior-Version", 2
   objDomain.SetInfo   ' fails if a domain controller below Windows Server 2003 remains
else
   Wscript.Echo "Domain already at Windows Server 2003 functional level"
end if
2.13.3 Discussion
In Windows Server 2003 Active Directory, functional levels have replaced the domain mode that
was used in Windows 2000 to signify what operating systems are allowed to run on the domain
controllers in the domain. With Windows Server 2003, there are functional levels for both
domains and forests; whereas with Windows 2000, the domain mode only applied to domains.
The msDS-Behavior-Version attribute of the domainDNS object (e.g.,
dc=amer,dc=rallencorp,dc=com) holds the current domain functional level. Table 2-4 shows the
three functional levels, their associated msDS-Behavior-Version value, and the operating
systems that can be used on domain controllers in each.
Table 2-4. Windows Server 2003 domain functional levels

Functional level              msDS-Behavior-Version   Valid operating systems
Windows 2000                  0                       Windows NT (when in mixed mode), Windows 2000, Windows Server 2003
Windows Server 2003 Interim   1                       Windows NT 4.0, Windows Server 2003
Windows Server 2003           2                       Windows Server 2003
When a domain is at the Windows 2000 functional level, the domain can be in mixed mode or
native mode, as described in Recipe 2.9. Various new features of Windows Server 2003 Active
Directory are enabled with each domain functional level. See Chapter 1 of Active Directory,
Second Edition (O'Reilly) for more details.
Raising the functional level is a one-way operation. Once a domain is at the Windows Server
2003 level it cannot be lowered again, and no Windows 2000 or Windows NT 4.0 domain controller
can be added to it afterward, so confirm that every domain controller in the domain is already
running Windows Server 2003 before you raise it. If a down-level domain controller is still
present, the directory rejects the change and the GUI, ldifde, and script solutions all report an
error.
The value contained in msDS-Behavior-Version is mirrored in the domainFunctionality
attribute of the RootDSE. The RootDSE can be read without authenticating, so any client that can
reach a domain controller's LDAP port can determine the functional level (along with the other
RootDSE attributes, such as the naming contexts and the DNS name of the domain controller)
without credentials. That is convenient for scripting, and it is also worth remembering when you
assess what an unauthenticated host on the network can learn about the directory.
One of the benefits of the GUI solution is that if a problem is encountered,
you can save and view the output log, which will contain information on
any errors that were encountered.
2.13.4 See Also
Chapter 1 of Active Directory, Second Edition, Recipe 2.9 for changing domain mode, Recipe
2.10 for preparing a forest with adprep, Recipe 2.14 for raising the functional level of a forest,
and MS KB 322692 (HOW TO: Raise the Domain Functional Level in Windows Server 2003)
Recipe 2.14 Raising the Functional Level of a Windows Server 2003 Forest
2.14.1 Problem
You want to raise the functional level of a Windows Server 2003 forest. You should raise the
functional level of a forest as soon as possible after installing a new Windows Server 2003 forest
or upgrading from a Windows 2000 forest to take advantage of the new features and
enhancements.
2.14.2 Solution
2.14.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click on Active Directory Domains and Trusts and select Raise
Forest Functional Level.
3. Select Windows Server 2003 Functional Level and click OK.
After a few seconds you should see a message stating whether the operation was successful.
2.14.2.2 Using a command-line interface
To retrieve the current forest functional level, use the following command:
> dsquery * <ForestRootDN> -scope base -attr msDS-Behavior-Version
Or you can use the enumprop command found in the Windows 2000 Resource Kit.
> enumprop /ATTR:msDS-Behavior-Version "LDAP://<ForestRootDN>"
To change the functional level to Windows Server 2003, create an LDIF file called
raise_forest_func_level.ldf with the following contents:
dn: cn=partitions,cn=configuration,<ForestRootDN>
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2
-
Next, run the ldifde command to import the change.
> ldifde -i -f raise_forest_func_level.ldf
2.14.2.3 Using VBScript
' This code changes the functional level of the forest the
' user running the script is logged into to Windows Server 2003.
set objRootDSE = GetObject("LDAP://RootDSE")
' The forest level is held on the Partitions container of the Configuration NC
set objPartitions = GetObject("LDAP://cn=partitions," & _
                    objRootDSE.Get("configurationNamingContext") )
if objPartitions.Get("msDS-Behavior-Version") <> 2 then
   Wscript.Echo "Attempting to change forest to " & _
                "Windows Server 2003 functional level . . . "
   objPartitions.Put "msDS-Behavior-Version", 2
   objPartitions.SetInfo   ' fails if any domain is still below Windows Server 2003
else
   Wscript.Echo "Forest already at Windows Server 2003 functional level"
end if
2.14.3 Discussion
Windows Server 2003 forest functional levels are very similar to domain functional levels. In
fact, Table 2-4 applies to forest functional levels as well, except that the list of available
operating systems applies to all domain controllers in the forest not just a single domain. So even
if just one of the domains in the forest is at the Windows 2000 domain functional level, you
cannot raise the forest above the Windows 2000 forest functional level. If you attempt to do so
you will receive an error that the operation cannot be completed. After you raise the last
Windows 2000 domain functional level to Windows Server 2003, you can then raise the forest
functional level as well.
You may be wondering why there is a need to differentiate between forest and domain functional
levels. The primary reason is new features. Some new features of Windows Server 2003 Active
Directory require that all domain controllers in the forest are running Windows Server 2003. To
ensure all domain controllers are running a certain operating system throughout a forest,
Microsoft had to apply the functional level concept to forests as well as domains. For more
information on the new features that are available with each functional level, see Chapter 1 of
Active Directory, Second Edition (O'Reilly).
The forest functional level is stored in the msDS-Behavior-Version attribute of the Partitions
container in the Configuration NC. For example, in the rallencorp.com forest, it would be stored
in cn=partitions,cn=configuration,dc=rallencorp,dc=com. The value contained in
msDS-Behavior-Version is mirrored to the forestFunctionality attribute of the RootDSE, which
means you can find the functional level of the forest by querying the RootDSE.
One of the benefits of the GUI solution is that if a problem is encountered,
you can save and view the output log, which will contain information on
any errors that were encountered.
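The following PowerShell script is an added example for Recipes 2.13 and 2.14 and is not code from the cookbook. It reads the same msDS-Behavior-Version attributes that the LDIF and VBScript solutions modify, maps them to the names in Table 2-4, and refuses to raise a level while a blocker exists: for the domain level, a domain controller whose operatingSystem attribute is not Windows Server 2003 (NT 4.0 BDCs, which have no value, count as blockers); for the forest level, a domain still below the target. It assumes PowerShell 2.0 or later on a domain-joined host with read access to the Configuration NC; the two Set- functions additionally need Domain Admins or Enterprise Admins rights. The function names are the example's own.

```powershell
# Added example (PowerShell 2.0+), not code from the cookbook. Reports the
# domain and forest functional levels from the same msDS-Behavior-Version
# attributes the recipes modify, and checks the preconditions before raising.
# Assumes a domain-joined host; raising needs Domain/Enterprise Admins rights.

$LevelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 Interim'; 2 = 'Windows Server 2003' }

function Get-BehaviorVersion([string]$Dn) {
    # A Windows 2000 domain that has not been through adprep has no value; treat it as 0.
    $obj = [ADSI]"LDAP://$Dn"
    try   { return [int]$obj.Get('msDS-Behavior-Version') }
    catch { return 0 }
}

function Get-ForestDomainDns {
    # Every domain in the forest has a crossRef with nETBIOSName set under cn=Partitions.
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://cn=Partitions,$configNc"
    $searcher.Filter = '(&(objectClass=crossRef)(nETBIOSName=*))'
    [void]$searcher.PropertiesToLoad.Add('nCName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['ncname'][0] }
}

function Get-NonWindows2003DCs([string]$DomainDn) {
    # DCs carry SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl. NT 4.0 BDCs
    # match too, usually with no operatingSystem value, which also counts as a blocker.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem'))
    foreach ($r in $searcher.FindAll()) {
        $name = [string]$r.Properties['name'][0]
        $os   = ''
        if ($r.Properties.Contains('operatingsystem')) { $os = [string]$r.Properties['operatingsystem'][0] }
        if ($os -notlike 'Windows Server 2003*') { "$name ($os)" }
    }
}

function Get-FunctionalLevelReport {
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $forest   = Get-BehaviorVersion "cn=Partitions,$configNc"
    "Forest functional level: $forest ($($LevelNames[$forest]))"
    foreach ($dn in Get-ForestDomainDns) {
        $lvl = Get-BehaviorVersion $dn
        "Domain $dn : $lvl ($($LevelNames[$lvl]))"
        Get-NonWindows2003DCs $dn | ForEach-Object { "  blocks Windows Server 2003 level: $_" }
    }
}

function Set-DomainFunctionalLevel([string]$DomainDn, [int]$Level = 2) {
    # One-way change: refuse level 2 while any DC in the domain is not Windows Server 2003.
    $blockers = @(Get-NonWindows2003DCs $DomainDn)
    if ($Level -eq 2 -and $blockers.Count -gt 0) {
        throw "Cannot raise $DomainDn, down-level DCs present: $($blockers -join ', ')"
    }
    $domain = [ADSI]"LDAP://$DomainDn"
    $domain.Put('msDS-Behavior-Version', $Level)
    $domain.SetInfo()
}

function Set-ForestFunctionalLevel([int]$Level = 2) {
    # The forest cannot go above the lowest domain level in the forest.
    $lagging = @(Get-ForestDomainDns | Where-Object { (Get-BehaviorVersion $_) -lt $Level })
    if ($lagging.Count -gt 0) {
        throw "Cannot raise forest, domains below level $Level : $($lagging -join ', ')"
    }
    $configNc   = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $partitions = [ADSI]"LDAP://cn=Partitions,$configNc"
    $partitions.Put('msDS-Behavior-Version', $Level)
    $partitions.SetInfo()
}

Get-FunctionalLevelReport
# When the report shows no blockers:
#   Set-DomainFunctionalLevel 'dc=amer,dc=rallencorp,dc=com'
#   Set-ForestFunctionalLevel
```

Run the report first; the directory performs the same checks when you write the attribute, but the report tells you which domain controller or domain is holding things up instead of a bare constraint-violation error.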
2.14.4 See Also
Chapter 1 of Active Directory, Second Edition, Recipe 2.9 for changing domain mode, Recipe
2.10 for preparing a forest with adprep, Recipe 2.13 for raising the functional level of a domain,
and MS KB 322692 (HOW TO: Raise the Domain Functional Level in Windows Server 2003)
Recipe 2.15 Creating a Trust Between a Windows NT Domain and an AD Domain
2.15.1 Problem
You want to create a one-way or two-way nontransitive trust from an AD domain to a Windows
NT domain.
2.15.2 Solution
2.15.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to add a trust for and select Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Type the NetBIOS name of the NT domain and click Next.
7. Assuming the NT domain was resolvable via its NetBIOS name, the next screen will ask
for the Direction of Trust. Select Two-way, One-way incoming, or One-way outgoing,
and click Next.
8. If you selected Two-way or One-way Outgoing, you'll need to select the scope of
authentication, which can be either Domain-wide or Selective, and click Next.
9. Enter and re-type the trust password and click Next.
10. Click Next twice to finish.
2.15.2.2 Using a command-line interface
> netdom trust <NT4DomainName> /Domain:<ADDomainName> /ADD[RETURN]
[/UserD:<ADDomainName>\<ADUser> /PasswordD:*][RETURN]
[/UserO:<NT4DomainName>\<NT4User> /PasswordO:*][RETURN]
[/TWOWAY]
For example, to create a trust from the NT4 domain RALLENCORP_NT4 to the AD domain
RALLENCORP, use the following command:
> netdom trust RALLENCORP_NT4 /Domain:RALLENCORP /ADD[RETURN]
/UserD:RALLENCORP\administrator /PasswordD:*[RETURN]
/UserO:RALLENCORP_NT4\administrator /PasswordO:*
You can make the trust bidirectional, i.e., two-way, by adding a /TwoWay switch to the example.
2.15.3 Discussion
It is common when migrating from a Windows NT environment to Active Directory to set up
trusts to down-level master account domains or resource domains. This allows AD users to
access resources in the NT domains without providing alternate credentials. Windows NT does
not support transitive trusts and, therefore, your only option is to create a nontransitive trust. That
means you'll need to set up individual trusts between the NT domain and every Active Directory
domain that contains users that need to access the NT resources.
The scope of authentication chosen in step 8 of the GUI solution determines how much of the
AD domain the NT domain's users can reach. Domain-wide authentication lets them authenticate
to any computer in the AD domain, where they are then treated like any other authenticated user;
Selective authentication lets them authenticate only to computers on which they have been
explicitly granted the Allowed to Authenticate permission. Prefer Selective when the NT domain
only needs to reach a few resource servers.
2.15.4 See Also
MS KB 306733 (HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows
NT 4.0 Domain), MS KB 308195 (HOW TO: Establish Trusts with a Windows NT-Based
Domain in Windows 2000), MS KB 309682 (HOW TO: Set up a One-Way Non-Transitive Trust
in Windows 2000), MS KB 325874 (HOW TO: Establish Trusts with a Windows NT-Based
Domain in Windows Server 2003), and MS KB 816301 (HOW TO: Create an External Trust in
Windows Server 2003)
Recipe 2.16 Creating a Transitive Trust Between Two AD Forests
This recipe requires the Windows Server 2003 forest functional level in both forests.
2.16.1 Problem
You want to create a transitive trust between two AD forests. This causes the domains in both
forests to trust each other without the need for additional trusts.
2.16.2 Solution
2.16.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right click the forest root domain and select Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Type the DNS name of the AD forest and click Next.
7. Select Forest trust and click Next.
8. Complete the wizard by stepping through the rest of the configuration screens.
2.16.2.2 Using a command-line interface
> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive
/ADD[RETURN]
[/UserD:<Forest2AdminUser> /PasswordD:*][RETURN]
[/UserO:<Forest1AdminUser> /PasswordO:*]
For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest
othercorp.com, use the following command:
> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive
/ADD[RETURN]
/UserD: /PasswordD:*[RETURN]
/UserO: /PasswordO:*
2.16.3 Discussion
A new type of trust called a forest trust was introduced in Windows Server 2003. Under
Windows 2000, if you wanted to create a fully trusted environment between two forests, you
would have to set up individual external two-way trusts between every domain in both forests. If
you have two forests with three domains each and wanted to set up a fully trusted model, you
would need nine individual trusts. Figure 2-4 illustrates how this would look.
Figure 2-4. Trusts necessary for two Windows 2000 forests to trust each other
With a forest trust, you can define a single one-way or two-way transitive trust relationship that
extends to all the domains in both forests. You may want to implement a forest trust if you merge
or acquire a company and you want all of the new company's Active Directory resources to be
accessible for users in your Active Directory environment and vice versa. Figure 2-5 shows a
forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise
Admins group in each forest.
Forest trusts (and external trusts) created on Windows Server 2003 have SID filtering enabled by
default, so SIDs that do not belong to the trusted forest, such as sIDHistory values, are stripped
from tokens that cross the trust. Leave that filtering in place unless an account migration
specifically depends on sIDHistory; without it, an administrator of the other forest can place SIDs
from your forest into their users' tokens and gain access your ACLs never granted them.
Figure 2-5. Trust necessary for two Windows Server 2003 forests to trust each other
Recipe 2.17 Creating a Shortcut Trust Between Two AD Domains
2.17.1 Problem
You want to create a shortcut trust between two AD domains in the same forest. Shortcut trusts
can make the authentication process more efficient between two domains that are far apart in the
forest's trust hierarchy. (Domains in different forests are linked with a forest trust, as in Recipe
2.16, or an external trust, not a shortcut trust.)
2.17.2 Solution
2.17.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to add a trust for, and select Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Type the DNS name of the AD domain and click Next.
7. Assuming the AD domain was resolvable via DNS, the next screen will ask for the
Direction of Trust. Select Two-way and click Next.
8. For the Outgoing Trust Properties, select all resources to be authenticated and click Next.
9. Enter and retype the trust password and click Next.
10. Click Next twice.
2.17.2.2 Using a command-line interface
> netdom trust <Domain1DNSName> /Domain:<Domain2DNSName> /Twoway /ADD[RETURN]
[/UserD:<Domain2AdminUser> /PasswordD:*][RETURN]
[/UserO:<Domain1AdminUser> /PasswordO:*]
To create a shortcut trust from the emea.rallencorp.com domain to the apac.rallencorp.com
domain, use the following netdom command:
> netdom trust emea.rallencorp.com /Domain:apac.rallencorp.com /Twoway
/ADD[RETURN]
/UserD: /PasswordD:*[RETURN]
/UserO: /PasswordO:*
2.17.3 Discussion
Consider the forest in Figure 2-6. It has five domains in a single domain tree. In order for
authentication requests for Domain 3 to be processed by Domain 5, the request must traverse the
path from Domain 3 to Domain 2 to Domain 1 to Domain 4 to Domain 5. If you create a shortcut
trust between Domain 3 and Domain 5, the authentication path is just a single hop from Domain
3 to Domain 5. To create a shortcut trust, you must be a member of the Domain Admins group in
both domains, or a member of the Enterprise Admins group.
Figure 2-6. Shortcut trust
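As an added example covering Recipes 2.15 through 2.17 (not code from the cookbook), the PowerShell script below enumerates the trustedDomain objects in the local domain's System container and decodes the fields a reviewer cares about: trust type, direction, transitivity, selective authentication (TRUST_ATTRIBUTE_CROSS_ORGANIZATION), and whether SID filtering is in force. The flag values are the documented TRUST_ATTRIBUTE_* constants from the trustAttributes attribute; the function name and output column names are the example's own. It is read-only and assumes PowerShell 2.0 or later on a domain-joined host.

```powershell
# Added example (PowerShell 2.0+), not code from the cookbook. Read-only audit
# of the trustedDomain objects in cn=System of the local domain, decoding the
# fields that matter when reviewing trusts. Assumes a domain-joined host.

$TrustTypeNames = @{ 1 = 'Downlevel (NT 4.0)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
# trustDirection is from this domain's point of view: Outbound means this domain
# trusts the partner, so the partner's accounts can be given access to resources here.
$TrustDirNames  = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

# TRUST_ATTRIBUTE_* bit flags stored in trustAttributes
$TA_NON_TRANSITIVE     = 0x01
$TA_QUARANTINED_DOMAIN = 0x04   # SID filtering on an external trust
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust
$TA_CROSS_ORGANIZATION = 0x10   # selective authentication
$TA_WITHIN_FOREST      = 0x20   # parent-child, tree-root or shortcut trust
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID filtering relaxed to external-trust rules

function Get-DomainTrusts {
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://cn=System,$domainDn"
    $searcher.Filter = '(objectClass=trustedDomain)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))
    foreach ($r in $searcher.FindAll()) {
        $p    = $r.Properties
        $attr = [int]$p['trustattributes'][0]
        $type = [int]$p['trusttype'][0]
        $dir  = [int]$p['trustdirection'][0]

        if     ($attr -band $TA_FOREST_TRANSITIVE) { $kind = 'Forest' }
        elseif ($attr -band $TA_WITHIN_FOREST)     { $kind = 'Intra-forest' }
        elseif ($type -eq 3)                       { $kind = 'Realm' }
        else                                       { $kind = 'External' }

        # External trusts filter SIDs only when quarantined; forest trusts always filter
        # SIDs from outside the trusted forest unless relaxed with TREAT_AS_EXTERNAL.
        switch ($kind) {
            'External' { $sid = if ($attr -band $TA_QUARANTINED_DOMAIN) { 'Enabled (quarantined)' } else { 'DISABLED - partner sIDHistory accepted' } }
            'Forest'   { $sid = if ($attr -band $TA_TREAT_AS_EXTERNAL) { 'Relaxed (treated as external)' } else { 'Enabled (forest default)' } }
            default    { $sid = 'n/a' }
        }

        New-Object PSObject -Property @{
            Partner       = [string]$p['trustpartner'][0]
            Kind          = $kind
            Type          = $TrustTypeNames[$type]
            Direction     = $TrustDirNames[$dir]
            Transitive    = -not [bool]($attr -band $TA_NON_TRANSITIVE)
            SelectiveAuth = [bool]($attr -band $TA_CROSS_ORGANIZATION)
            SidFiltering  = $sid
        }
    }
}

# An External trust with SID filtering disabled, or an Outbound/Bidirectional trust
# without selective authentication, deserves a second look.
Get-DomainTrusts | Format-Table Partner, Kind, Type, Direction, Transitive, SelectiveAuth, SidFiltering -AutoSize
```

Run it in each domain that holds trusts; the trustedDomain objects are per domain, so a shortcut trust from emea.rallencorp.com to apac.rallencorp.com appears in emea's System container, not at the forest root.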
Recipe 2.18 Creating a Trust to a Kerberos Realm
2.18.1 Problem
You want to create a trust to a Kerberos realm.
2.18.2 Solution
2.18.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to add a trust for and select Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Type the name of the Kerberos realm.
7. Select the radio button beside Realm Trust and click Next.
8. Select either Transitive or Nontransitive and click Next.
9. Select Two-way, One-way incoming, or One-way outgoing and click Next.
10. Enter and retype the trust password and click Next.
11. Click Next and click Finish.